Claims
Claims are the facts applications read from DarkAuth tokens. Standard OIDC claims identify the user and token. DarkAuth-specific claims can add organization and authorization context.
Standard identity claims
Common claims include:
- iss: issuer.
- sub: user subject.
- aud: audience.
- exp: expiration.
- iat: issued at.
- email: email address when requested and available.
- name: display name when requested and available.
Applications should treat sub as the durable user key. Email can change.
Organization claims
When organization context is resolved, tokens can include:
- org_id
- org_slug
- roles
- permissions
Applications should check that the token organization matches the resource organization before authorizing actions.
Authentication context
Tokens can include authentication method or context information such as whether MFA was used. High-risk applications can require recent or stronger authentication before allowing sensitive operations.
Scopes vs permissions
Scopes describe what a client requested and was granted. Permissions describe what the user can do, usually within an organization. Applications often need to check both.
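The checks described in the organization, authentication-context and scopes-vs-permissions sections, combined into one relying-party authorization function. This is an added example, not DarkAuth's own code; it assumes the token signature has already been verified, that granted scopes arrive in a space-separated `scope` claim, and that authentication context is carried in the standard OIDC `amr` claim with an `mfa` value (the page names none of these specifics).

```python
import time

ISSUER = "https://auth.example.com"  # constructed placeholder issuer
CLIENT_ID = "billing-app"            # constructed placeholder audience


def authorize(claims, resource_org_id, required_scope, required_permission,
              require_mfa=False, now=None):
    """Check already-verified claims against a resource. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    # Standard identity claims: issuer, audience, expiry, durable subject.
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    if not claims.get("sub"):
        return False, "missing sub"
    # Organization claim: the token's org must match the resource's org.
    if claims.get("org_id") != resource_org_id:
        return False, "organization mismatch"
    # Scopes are what the client was granted; permissions are what the
    # user may do. Both are required, because either alone is insufficient.
    scopes = set(str(claims.get("scope", "")).split())  # assumed claim name
    if required_scope not in scopes:
        return False, "scope not granted"
    if required_permission not in set(claims.get("permissions", [])):
        return False, "permission denied"
    # Authentication context: assumed "amr" list with an "mfa" entry.
    if require_mfa and "mfa" not in claims.get("amr", []):
        return False, "mfa required"
    return True, "ok"


# Constructed sample claims, as seen after decoding and signature checking.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "iat": 1000,
    "exp": 2000, "org_id": "org-1", "org_slug": "acme", "roles": ["member"],
    "scope": "invoices:read invoices:write",
    "permissions": ["invoices:write"], "amr": ["pwd"],
}

if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS, "org-1", "invoices:write", "invoices:write", now=1500))
```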